Today Kaspersky Lab’s Global Research & Analysis Team published a research report about TeamSpy, an active cyber-surveillance malware campaign targeting high level political and human rights activists located in Eastern Europe and in countries belonging to the Commonwealth of Independent States (CIS). Additional victims include intelligence agencies, energy and heavy industry manufacturers.

The TeamSpy campaign was first announced earlier today by the Laboratory of Cryptography and System Security (CrySyS Lab) and the Hungarian Government. CrySysLab issued a research post with its own analysis of the campaign.

According to Kaspersky Lab’s report, the TeamSpy malware is designed to perform a sustained level of cyber-surveillance on its victims while stealing sensitive data and information for geopolitical reconnaissance.

Kaspersky Lab’s Summary Research Findings

TeamSpy is currently an active operation and poses a significant threat to information agencies across the world, notably in former Soviet Republics and countries in Eastern Europe.

Kaspersky Lab’s experts first identified traces of the TeamSpy operation in April 2012 after a number of high-profile Belarusian political and social activists publicly announced that their systems were infected with the cyberespionage malware; however, further analysis of TeamSpy’s Command and Control (C2) infrastructure revealed that one of the domain names was registered in 2004, which indicates the TeamSpy operation could have been active for nearly a decade.

The TeamSpy attackers remotely control the malware running on victim computers by using the TeamViewer (teamviewer.exe) application, which is signed with legitimate digital certificates. Through TeamViewer, the attackers are able to perform a number of data-theft operations on infected machines. The type of sensitive data or information being exfiltrated from TeamSpy’s victims includes:

Confidential or important office documents and PDF files

Private cryptographic keys and passwords used to access sensitive information

The Apple iOS device history data from iTunes

Detailed system configurations, including OS and BIOS information

Captured keylogger strokes, screenshots and disc images

To read Kaspersky Lab’s research post and FAQ about TeamSpy, please visit Securelist.

Kaspersky Lab’s full research report of the TeamSpy malware, which contains more technical details of the analysis, can be found here.